Who We Are ?
The FIRSTSTEP-OG website (hereinafter the “Site”) is operated by FirstStep-OG Inc, a corporation incorporated under Canadian federal law (BN 1710599-1), with its registered office at 929 Vanier Road, Apt 306, Gatineau QC J9J 0C3. We assist newcomers to Canada with airport transportation, furnished housing and essential administrative procedures (SIN/NAS, banking, etc.).
Applicable Legal Framework
- PIPEDA – Personal Information Protection and Electronic Documents Act (federal)
- Québec Private-Sector Privacy Act, as amended by Bill 25
- CASL – Canada’s Anti-Spam Legislation
Definitions
- “Personal information” : any information about an identifiable individual (PIPEDA, s. 2).
- “Processing”: any operation involving such information (collection, use, disclosure, retention or destruction).
Information We Collect
| Category | Examples | When Collected |
|---|---|---|
| Identity | surname, given name, arrival date… | Quote / booking form |
| Contact | e-mail, phone, WhatsApp | Form, chat, call |
| Service data | assigned SIN/NAS, chosen bank | While the service is being delivered |
| Payment | amount, method (Stripe, Interac, credit / debit card, cash…) | At invoicing |
| Browsing | IP address, cookies, logs | Visiting the Site |
Purposes and Legal Bases
| Purpose | Legal basis |
|---|---|
| Prepare your quote / book a service | Contract performance (PIPEDA s. 4.3) |
| Respond to your questions (WhatsApp, Facebook, e-mail) | Legitimate interest (customer service) |
| E-mail marketing (newsletter) | Express consent (opt-in – Bill 25 s. 66 / CASL) |
| Audience analytics (Google Analytics 4) | Consent via cookie banner |
Consent
We obtain your free, informed and revocable consent:
- A separate checkbox for the newsletter (“I wish to receive…”).
- Granular cookie settings (essential vs. analytics).
You may withdraw consent at any time via the “Unsubscribe” link or by writing to privacy@firststep-og.ca.
Disclosure to Third Parties
We do not sell your data. We disclose it only :
- To our transport and housing partners (name, arrival date).
- To Service Canada or financial institutions—with your written consent—to obtain a SIN/NAS or open a bank account.
- To authorities where required by law.
Hosting and International Transfers
Data are stored on Namecheap (Phoenix, Arizona, USA). Some processors (e.g., Stripe) may transfer data to the United States; such flows are protected by contractual clauses and encryption.
Retention
Service records are kept five years after the service ends (tax requirements). Inactive marketing data are deleted after 24 months.
Your Rights
Under the above laws you have the right to :
- Access and port your information.
- Rectify or update it.
- Withdraw consent / erase data (“right to be forgotten,” Québec s. 27).
- Object to automated profiling.
To exercise any right: privacy@firststep-og.caor by post. We reply within 30 days.
Security
TLS 1.3 encryption in transit, AES-256 encryption at rest, internal two-factor authentication and least-privilege access policies.
Cookies
TCF v2-compliant banner. Preferences can be changed at any time (“Cookie Settings” in the footer).
Complaints
- Québec: Commission d’accès à l’information du Québec (CAI)
- Canada: Office of the Privacy Commissioner of Canada (OPC)
Policy Updates
Last revision: 11 July 2025. Major changes will be announced 14 days before they take effect.
Legislative Foundations
| Statute | Abbreviation | Cited sections |
|---|---|---|
| Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 | PIPEDA | ss. 2, 4.3, 4.5, 4.7, 10.1 |
| Québec Private-Sector Privacy Act, CQLR c. P-39.1, as amended by Bill 25 | LPRPSP | ss. 3.1, 4, 8, 10, 17, 23–28, 39.3–39.5 |
| Canada’s Anti-Spam Legislation, S.C. 2010, c. 23 | CASL | ss. 6–11 |
| Electronic Commerce Protection Regulations, SOR/2012-36 | – | — |
| Access to Information and Protection of Personal Information Act (Québec), CQLR c. A-2.1 | — | s. 53 |
Guiding Principles
- Accountability – processing-activities register kept (s. 3.2 LPRPSP)
- Identified Purpose – stated before collection (s. 4)
- Valid Consent – free, informed, clear (s. 14 PIPEDA & LPRPSP)
- Collection Limitation – data minimisation (“privacy by default,” s. 9)
- Accuracy – kept up to date (s. 11)
- Proportionate Security – AES-256, MFA (s. 10 PIPEDA & LPRPSP)
- Transparency & Access – 30-day access right (s. 23 LPRPSP)
- Limited Retention – 5 years (tax rules, ITA s. 230(4))
- Portability – structured technological format (s. 27 LPRPSP, 22 Sept 2025)
- Breach Notification – CAI + OPC within 72 h (s. 10.1 PIPEDA; ss. 3.5 & 3.8 LPRPSP)
Processing Table
| Purpose | Data | Legal basis (section) | Duration | Shared with |
|---|---|---|---|---|
| Booking & contract performance | identity, contact details, arrival date | Contract (s. 4.3 PIPEDA / 8 LPRPSP) | 5 years | driver, landlord, Service Canada |
| Newsletter marketing | name + e-mail | Consent (CASL s. 6 / LPRPSP s. 14) | Until withdrawal | Mailchimp (servers CA-East) |
| Billing & tax obligations | name, address, payment | Legal obligation (s. 7(3) PIPEDA) | 6 years | Canada Revenue Agency |
| GA4 statistics | IP address, cookies | Consent (cookie banner) | 14 months (GA4 setting) | Google Ireland → transfer EU→CA under SCC 2021/914 |
Exercising Your Rights
- Access / rectification: PIPEDA ss. 12–16; LPRPSP s. 27
- Withdraw consent: PIPEDA s. 18; LPRPSP s. 8(5)
- Erasure (“right to be forgotten”): LPRPSP s. 28 (in force 2024)
- Portability: LPRPSP s. 27 (22 Sept 2025)
- Automated decision-making: disclosure required (LPRPSP s. 12.1)
Requests → privacy@firststep-og.ca. Response within 30 days (LPRPSP s. 8).
Possible Recourse
- Commission d’accès à l’information du Québec – CQLR c. A-2.1, s. 135
- Office of the Privacy Commissioner of Canada – PIPEDA, s. 11